FIX: Malware Scanning takes longer than expected in Microsoft Forefront Threat Management Gateway 2010 when you set the "Block files larger than (MB)" option to allow very large files
Article ID: 2518663
Important This article contains information that shows you how to help to lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, Microsoft recommends that you evaluate the risks that are associated with implementing this resolution in your particular environment. If you choose to implement this resolution, take any appropriate additional steps to help to protect your system.
When you use Microsoft Forefront Threat Management Gateway (TMG) 2010 Malware Scanning, you can limit the size of files that are downloaded by using the Block files larger than (MB) option.
Note The Block files larger than (MB) option is on the Inspection Settings tab of the Malware Inspection dialog box.
If you set the value for this option so that TMG 2010 scans very large files, TMG Malware Scanning takes longer than expected. For example, a 4 gigabyte (GB) file can take as long as 30 minutes for the Malware Inspection engine to scan.
Note You cannot configure TMG Malware Scanning to perform a partial scan and to scan only the first few megabytes of downloaded files.
Warning This resolution may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. Microsoft does not recommend this resolution but is providing this information so that you can choose to implement this resolution at your own discretion. Use this resolution at your own risk.
To resolve this issue, install the software update that is described in the following Microsoft Knowledge Base article:
2517957 (http://support.microsoft.com/kb/2517957/) Software Update 1 Rollup 4 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 1
This hotfix introduces a new setting, ScanMaxSizeOnlyIfExceeds. When you set ScanMaxSizeOnlyIfExceeds to True, the Block files larger than (MB) configuration setting changes from a limit on the maximum size of downloaded files to a partial scan limit in megabytes.
When ScanMaxSizeOnlyIfExceeds is set to True, no size limit is applied to downloaded files. However, when you download a file that is larger than the value that is set in the Block files larger than (MB) option, only a portion of the file (equal to the size that is set in that option) is scanned.
The default setting of ScanMaxSizeOnlyIfExceeds is False. You can apply this setting at the Array level or at the Rule level. To enable the setting by using a script, select the appropriate script from the ones that are presented below, and then run it on one of the array members. You can also use the TMG Management Console to set the value of the Block files larger than (MB) option.
Array level script
Copy the following script into Notepad, save the script with the name EnableMaxSizeScanAllowRule.vbs, and then at a command prompt run the script as follows:
Rule level script
Copy the following script into Notepad, save the script with the name EnableMaxSizeScanAllowRule.vbs, and then at a command prompt run the script as follows:
cscript EnableMaxSizeScanAllowRule.vbs /RuleName:"MyRule"
Replace the placeholder MyRule with the name of the relevant TMG Access rule.
To revert the changes that you made by using the Array script or the Rule script, and to revert to the default behavior of the Block files larger than (MB) setting, edit the relevant script and change the following line from:
Const SE_VPS_VALUE = true
To:
Const SE_VPS_VALUE = false
Then, rerun the script using the appropriate instructions.
Important! Please be aware that, when you set ScanMaxSizeOnlyIfExceeds to True, you introduce a security risk. This occurs because a large file that contains malware in the unscanned section of the file could be passed by TMG to the client.
Microsoft recommends full file scanning. Therefore, we advise that you use this setting only after you carefully consider the risk and only if you use a defense-in-depth approach to malware detection, including appropriate client-side anti-malware software.
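The following is an added example, not part of the original article and not TMG code. It is a simplified model of the two behaviors of the Block files larger than (MB) option, run against constructed file bodies that carry a harmless marker. The function names, the marker string and the sizes are assumptions made for illustration.

```python
import io

MB = 1024 * 1024
MARKER = b"CONSTRUCTED-TEST-SIGNATURE"  # constructed, harmless stand-in for a signature


def scan(stream, max_bytes=None, chunk=64 * 1024):
    """Scan a stream in chunks; stop after max_bytes when a limit is given.

    Returns (detected, bytes_scanned).
    """
    scanned, tail = 0, b""
    while max_bytes is None or scanned < max_bytes:
        want = chunk if max_bytes is None else min(chunk, max_bytes - scanned)
        data = stream.read(want)
        if not data:
            break
        scanned += len(data)
        # Carry len(MARKER)-1 bytes over so a marker split across chunks is found.
        if MARKER in tail + data:
            return True, scanned
        tail = (tail + data)[-(len(MARKER) - 1):]
    return False, scanned


def inspect(body, limit_mb, scan_max_size_only_if_exceeds):
    """Hypothetical model of the gateway decision described in the article."""
    limit = limit_mb * MB
    if len(body) > limit and not scan_max_size_only_if_exceeds:
        # Default (False): the option is a hard size limit, nothing is delivered.
        return {"verdict": "blocked-size", "scanned": 0}
    # True: oversized files pass, but only the first `limit` bytes are scanned.
    max_bytes = limit if len(body) > limit else None
    detected, scanned = scan(io.BytesIO(body), max_bytes)
    return {"verdict": "blocked-malware" if detected else "allowed",
            "scanned": scanned, "not_scanned": len(body) - scanned}


def sample(size_mb, marker_at):
    """Constructed file body: zero bytes with the marker at a chosen offset."""
    body = bytearray(size_mb * MB)
    body[marker_at:marker_at + len(MARKER)] = MARKER
    return bytes(body)


if __name__ == "__main__":
    late = sample(3, 2 * MB + 10)  # marker lies beyond a 1 MB scan window
    print(inspect(late, 1, False))
    print(inspect(late, 1, True))
```

With the default setting the oversized file never reaches the client; with the partial scan, the same file is allowed and 2 MB of it is never inspected, which is the part that client-side anti-malware software has to cover.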
Article ID: 2518663 - Last Review: June 15, 2011 - Revision: 1.0